Skip to main content

New Page

 

we will touch on cyber crimes and data breaches

trans-border data flow

licensing and intellectual property requirements

privacy

import/export controls like laws around exporting encryption technologies or other software

 

 

Types of Law for CISSP Domain 1

Type of Law Description Key Takeaway
Criminal Law Contains prohibitions against actions like murder, assault, and robbery. Can lead to jail/prison.
Civil Law Addresses contractual disputes, real estate transactions, employment, estate, and probate. Often involves fights over money.
Administrative Law Defines standards of performance and conduct for industries, organizations, and government agencies. E.g., FDA regulations on drug safety.

 

Computer Fraud and Abuse Act (CFAA)

  • Introduction:
    • The first major piece of US cybercrime-specific legislation.
  • Provisions:
    • Made it a crime to:
      1. Access classified or financial information in a federal system without authorization.
      2. Use a federal computer to perpetrate a fraud.
      3. Cause malicious damage to a computer system exceeding $1,000.
      4. Modify medical records in a computer, impairing treatment.

warning Key Takeaway: Main focus is on unauthorized and malicious activities on federal systems.

 

Federal Sentencing Guidelines

  • Purpose:
    • Provides punishment guidelines to assist federal judges in interpreting computer crime laws.
    • Formalized the "prudent man" rule, emphasizing due care.

information Due Care: This is the care that a reasonable person would exercise under the circumstances, also referred to as the "prudent man" rule.

  • Burdens of Proof for Negligence:
    1. Legal Obligation: The accused must have a legally recognized obligation.

      success E.g., Senior executives are responsible for ensuring due care.

    2. Failure to Comply: The accused must have failed to comply with recognized standards.
    3. Causal Relationship: There must be a direct link between the negligence act and the resulting damages.

Federal Information Security Management Act (FISMA)

  • Definition:

    • An act focused on formalizing infosec operations for the federal government.

  • Key Provisions:

    1. Mandatory for federal agencies to have formal infosec operations.
    2. Requires government agencies to include activities of contractors in their security management programs.

  • Historical Context:

    • FISMA repealed and replaced:
      • Computer Security Act of 1987.
      • Government Information Security Reform Act of 2000.

  • Guidelines:

    • NIST (National Institute of Standards and Technology) is tasked with developing the FISMA implementation guidelines.

information Note for CISSP: It's unlikely that the specific details of NIST's guidelines for FISMA will be included in the exam.

 

Digital Millennium Copyright Act (DMCA)

  • Scope:
    • Covers literary, musical, and dramatic acts.
  • Copyrights & Software:
    • Precedent for copyrighting computer software as it can fall under "literary work".
    • Protects only the expression inherent in the software (actual source code).
  • Ownership:
    • Defaults to the creator of a work.
    • Exception: "Works for hire".

      information i.e., the work belongs to you unless you've been hired to make it for someone else.

  • Protection Duration:
    • Typically lasts 70 years, but it can vary.
  • Revision:
    • The 1st major revision included CD/DVD copy protections which introduced Digital Rights Management (DRM) – controversial at the time.

Intellectual Property (IP) and Licensing

  • Trademarks:
    • Cover words, slogans, and logos identifying companies and products/services. E.g., Coca-Cola or IBM.
    • Purpose: Avoid marketplace confusion.
  • Patents:
    • Protect IP rights of inventors.
    • Requirements: Must be new, useful, not obvious.
    • Considerations:
      • Limited protection.
      • Disclosure of technology is required.
      • Not all patented technologies are marketed.

        warning E.g., Apple patents hinting at future products.

  • Trade Secrets:
    • Critical IP that should remain undisclosed.
    • Bypasses the limitations of copyrights and patents.

Licensing

  • Types:
    1. Contractual: Agreements written into a contract between a vendor and customer.
    2. Shrink-wrap: Old-school licensing with physical software purchases.
    3. Click-through: Common online agreements where users accept terms by clicking a button.
    4. Cloud Services: Advanced click-through, where terms are often hidden or require extra clicks.

      danger Often, full details are not immediately visible.

Length of Protections

  • Trademarks:
    • Last for 10 years.
    • Can potentially last indefinitely but must be renewed every decade.

 

Identity Theft and Assumption Deterrence Act

  • Scope:
    • Makes identity theft a crime against the person whose identity was stolen.
  • Penalties:
    • Up to a 15-year prison term and/or a $250,000 fine.
  • Year of Enactment:
    • Became law in 1998.

PCI DSS (Payment Card Industry Data Security Standard)

  • Purpose:
    • Set of security standards designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment.

Patents (20 years)

  • Duration:
    • Typically granted for 20 years from the date of application.
  • Examples:
    • Vapes: Patented 20 years ago, became popular after patent expiry.
    • Pharma: Vyvanse/Lisdexamphetamine.
  • Duration:
    • Lasts for the lifetime of the author plus an additional 70 years.
  • Notable Influences:
    • Lobbying by corporations, such as Disney, to continually extend the duration.

Trade Secrets (Indefinitely)

  • Definition:
    • Intellectual property critical to a business that must not be disclosed.

 

Import and Export Controls

Governing Regulations:

  1. International Traffic in Arms Regulations (ITAR)

    • Purpose: Regulates the export of items specifically designated as military and defense items.

  2. Export Administration Regulations (EAR)

    • Purpose:
      • Regulates a broad set of items designed for commercial use that could have military applications.
      • Governs the export of sensitive hardware and software products internationally.

Encryption Export Controls

  • Origin: Department of Commerce's Bureau of Industry and Security.

  • Historical Context: Exporting even low-grade encryption technology outside the US was initially very restrictive.

  • Current Scenario: Now, there are specific categories for retail and mass-market security software. Firms can submit products for review to obtain export approval from the commerce department.

  • Key Point: Encryption export controls still restrict certain encryption technologies from being exported outside the US.

 

Economic Espionage Act of 1996

  • Main Purpose: Made the theft of proprietary economic information an act of espionage.

  • Significant Change: Expanded the legal definition of theft beyond just physical constraints.

  • Definition:

    • Economic Espionage: The theft or misappropriation of a trade secret with the intent or knowledge that the offense will benefit a foreign government, foreign instrumentality, or foreign agent.

Privacy (USA)

Key Definitions:

  • PII: Personality Identifiable Information.

  • PHI: Personal Health Information.

4th Amendment

  • The foundational basis for privacy rights in the USA.

Privacy Act of 1974

  • Purpose:
    • Limits federal government agencies from disclosing private information without the affected individual's prior written consent.

Electronic Communications Privacy Act (EPCA) of 1986

  • Purpose:
    • Criminalizes the invasion of electronic privacy of individuals.

Comm Assistance for Law Enforcement Act (CALEA) of 1994

  • Key Update:
    • Amended EPCA.
    • Permits wiretaps for law enforcement with the appropriate court order, independent of the technology.

Health Insurance Portability and Accountability Act (HIPAA)

  • Provisions:
    • Sets privacy and security regulations.
    • Enforces security measures for hospitals, physicians, and insurance companies.

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

  • Purpose:
    • Updates HIPAA's privacy and security requirements.
  • Coverage:
    • Extends obligations to organizations that handle PHI for a HIPAA-covered entity.

Children's Online Privacy Protection Act (COPAA)

  • Purpose:
    • Sets requirements for websites targeting children or collecting information from them.

Gramm-Leach-Bliley Act (GLBA)

  • Focus:
    • Services, banks, lenders, and insurance.
  • Limitations:
    • Restricts services and the data sharing among them.

Family Educational Rights and Privacy Act (FERPA)

  • Rights:
    • Provides privacy rights to students over 18 and the parents of minor students.

USA PATRIOT Act of 2001

  • Key Points:
    • Expands law enforcement and intelligence agencies' powers.
    • Broadens wiretapping authorizations from one at to a time to a blanket request. 
    • Enacted shortly after 9/11 attacks in 2001.

PCI DSS (Payment Card Industry Data Security Standard)

  • Purpose:
    • Ensures the security of card transactions.
  • History:
    • Created in 2004 by major credit card companies.
  • Objectives:
    1. Maintain a secure transaction network.
    2. Protect stored cardholder data.
    3. Shield systems from malicious hackers.
    4. Safeguard cardholder data both physically and digitally.
    5. Continuously monitor and regularly test networks.
    6. Uphold a formal information security policy.

Privacy (EU)

European Union Privacy Law - 1998

  • Overview:
    • Directive that established privacy measures for protecting personal data processed by information systems.
    • Served as the precursor to EU privacy law.
  • For Non-European Organizations:
    • Need to determine the applicability of these rules when operating or dealing with European data.

Privacy Shield

  • Definition:
    • An agreement between the EU and US detailing specific requirements for processing personal information.
  • Key Requirements:
    1. Informing individuals about data processing activities.
    2. Providing means for dispute resolution.
    3. Cooperating with the Department of Commerce and the Federal Trade Commission.
    4. Certifying businesses that adhere to these regulations.
  • Benefits for Compliant Businesses:
    • Safe harbor from potential prosecution or legal consequences.

GDPR (General Data Protection Regulation)

  • Scope:
    • Applicable to organizations collecting data from EU residents or those processing such information on behalf of another entity.
  • Key Provisions:
    1. Data Breach Notification:
      • Obligates companies to notify authorities of significant data breaches within 72 hours.
    2. Centralized Data Protection Authorities:
      • Creation of unified data protection entities in each EU member state.
    3. Data Access:
      • Individuals have the right to access their personal data.
    4. Data Portability:
      • Allows individuals to transfer personal data between service providers upon their request.
    5. Right to be Forgotten:
      • Lets individuals demand companies to delete their information if it is no longer necessary.
Back to top